Building your IT security team

Good help is hard to find, and in the world of IT security, there's little question that finding the right people to defend your operations and corporate reputation is a cornerstone to achieving success.

Getting the necessary mix of security professionals together and finding the right way to keep them onboard and focused on your organizations' top priorities is no easy task, experts said, and demands year-round attention.

Speaking at the ongoing CSO Perspectives conference in Atlanta, leading security executives outlined their process for hiring, promoting, and training employees to maintain a desired level of corporate protection.

To find the type of people that you really want on your security workforce, one of the first things to remember is that a pile of certifications isn't necessarily as important as finding employees who will best fit in with your organizational culture, said Lynda Fleury, chief information security officer at Unum, a provider of corporate benefits programs.

"To me, attitude has more weight than skill. You can train people on security, network administration, and monitoring; expertise and knowledge is important, but a winning attitude and the ability to gel with staff and your corporate culture are key," Fleury said. "You want people who speak about 'we', not 'I', because in my experience there is never a single hero in IT security. If something is wrong, there is more than one person to blame, and no one individual is responsible for the team's success."

In addition to making sure that candidates are truthful in representing their skills by putting potential new hires through batteries of mock tests and running all the necessary background checks, once you've decided to bring someone onboard, it's also vital to first introduce them to line of business workers with whom they might interact.

One of Fleury's larger keys to success is aligning her team with overarching business objectives and getting people involved in company efforts that will impact IT security as early as possible, she said.

By introducing security job candidates to the business executives they will support in their respective roles, its easier to identify potential conflicts and ensure that you're getting the right person to step into the position, Fleury said.

Once hired, it's vital to continue to provide opportunities for workers to increase their value and advance their careers by making sure that they have access to additional training and graduate programs, said the Unum executive, who currently manages a staff of 28 security pros.

It's also important to retain a firm understanding of people's individual training and capabilities as part of a well-defined program that helps measure their performance, and to accrue data to for use in defending promotions, she said.

As part of its security recruiting and retention programs, Unum also uses a professional services firm, PriceWaterhouseCoopers, to make sure that it remains well positioned.

"We continue to look at measurement, it's always a challenge and we constantly ask PWC if we have the right people and if we're doing the right things. It's key to have that external view to help understand our strengths and weaknesses," said Fleury.